Professional Documents
Culture Documents
requirements
1
CSAT version 2.05 Scan and installation requirements
Cyber Security Assessment Tool
Scan and installation requirements
Copyright notice
©2023 QS solutions B.V. and its subsequent entities. All rights are reserved.
The information contained in this e-mail or document is exclusively intended for the addressee[s]
and may contain personal or confidential information, subject to a professional privilege. Any use of
this information by others than the addressee[s] or by persons not entitled to access this
information is not permitted. If you are not the addressee or if you are not entitled to access this
information, you are obliged to refrain from disclosing, multiplying, distributing and/or providing this
information to third parties and you are requested to return this e-mail/document and destroy the
original.
Disclaimer
The use of this document is for informational purposes only and reflects the publisher’s opinion as
per date of publishing. Liability is limited to the publisher’s terms and conditions as depicted in the
underlaying master-agreement and/or purchase order.
2
CSAT version 2.05 Scan and installation requirements
1. CSAT general information
CSAT Installation and Data Storage
The Cyber Security Assessment Tool (CSAT) is installed in your IT infrastructure. CSAT collects data and
stores it on a machine within your infrastructure. The data is not shared with any third party, so only
those authorized by your organization can access it. There is no method for QS solutions or any third
party to access the data on the machine, other than parties provided with access by your organization.
To install CSAT, you can either use the pre-installed CSAT Azure Marketplace offering, or install CSAT
on a local machine. Use the flowchart below to decide which option works best for you.
Do you have an
Yes
Azure Subscription?
No
Are you willing to
Is there a site to site
setup a (temporary)
No No VPN connection to
site to site VPN to
Azure?
azure?
Yes
3
CSAT version 2.05 Scan and installation requirements
2. CSAT Server Requirements
CSAT installations only work on clean operating system installations. This means the operating
system is a default Windows installation, using Microsoft installation media, and is not joined to a
domain. Existing components or hardening may interfere with the CSAT components.
If you want to apply hardening, and Active Directory Domain Policies to your operating system, you
should do this after installing CSAT. Installing CSAT on a system that's not a clean installation could
fail and possibly make the device unstable or unusable for its purpose.
When you install the CSAT server software, it will also install PostgreSQL and Microsoft .NET Core on
your device. To install CSAT, you must have (local) administrator privileges on the device.
Should you choose to use an Azure Virtual Machine, we recommend using the Azure template
D4s_v5 or one with better specifications. CSAT is also listed in the Azure Marketplace.
For the best CSAT experience, we recommend using CSAT with either Edge or Chrome on the CSAT
server.
4
CSAT version 2.05 Scan and installation requirements
3. Scan requirements
List of required credentials to setup the scans
This is the list of required credentials for setting up the scans. Credentials are to be provided in the
CSAT user interface.
• Active Directory
o Domain user (single forest scan)
o Domain Administrator (multi forest scan)
• Google Workspace
o Google Workspace administrator account
• Microsoft Cloud
o Account with Global Administrator permissions
• Amazon Web Services (AWS)
o Account with AdministratorAccess role
• SharePoint On Premises
o An account with Site Collection Administrator permissions
• Endpoints
o Windows: Local administrator or Domain administrator permissions
o Linux (SSH): SUDO permissions
• GitHub
o User with permissions to add a GitHub app to the organization
Active Directory
CSAT uses LDAP or LDAPS (over SSL) to collect data from Active Directory (AD) by executing LDAP(S)
queries to an AD domain controller. To make sure the AD scan works, make sure that the LDAP(S)
ports and the 'active directory local security authority ports' are allowed. You can find these ports on
this page: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-
overview-and-network-port-requirements#active-directory-local-security-authority.
You can start an AD scan of a single domain with a normal user account. To scan a forest, you need
an account with domain administrator permissions.
If you enable the 'LAPS GPO scan' option in the AD scan, a dissolvable agent is used to collect the
GPO information. After the dissolvable agent finishes scanning and uploading the data to the CSAT
server, the downloaded files and directories are automatically removed from the endpoint. This
means no CSAT related footprint is left behind, following the principle known as "dissolvable agent"
or "agentless."
Google Workspace
CSAT uses Google API to scan the Google Workspace environment. To use this feature, you need to
create a Google Developer application during the scan setup. To scan, CSAT needs to access
"https://www.googleapis.com" and all its subpages. If your security policies restrict access to certain
URLs, make sure to allow these for the CSAT server.
The CSAT scan does not work when there is a proxy server or SSL inspection in place. The CSAT
server traffic needs to be exempted from the proxy/SSL inspection. When using a proxy, ensure that
throttling is configured to not cut off the connection. Some scans may take a couple of days to
complete depending on the size of the environment.
5
CSAT version 2.05 Scan and installation requirements
Microsoft Cloud
CSAT uses the Microsoft Graph API to scan Microsoft Cloud services. To do this, an Azure Active
Directory application needs to be created on the Azure tenant to be scanned. This app must be
approved by a Global Administrator and will be created during the scan setup.
During a Microsoft Cloud scan, the CSAT server needs to be able to access various Microsoft services.
You can find a list of these services at https://docs.microsoft.com/en-us/microsoft-
365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide. The CSAT server also needs to
access https://csatreleases.blob.core.windows.net/public/ and
https://csatrelease.blob.core.windows.net/release/ to create the Azure Active Directory application.
The CSAT scan does not work when there is a proxy server or SSL inspection in place. The CSAT
server traffic needs to be exempted from the proxy/SSL inspection. When using a proxy, ensure that
throttling is configured to not cut off the connection. Some scans may take a couple of days to
complete depending on the size of the environment.
To create the Azure AD application in the correct tenant, use a "Member" type account to log in to
the "AzureAppCreator" tool from CSAT. If you use a "Guest" type account, the application won't be
created on the correct tenant.
SharePoint On-Premises
CSAT uses two methods to collect data from SharePoint On-Premises. The first method collects data
using the SharePoint API service, which has some requirements:
- Your SharePoint edition must be 2016 or newer, and either Standard or Enterprise edition.
- The ports 80 and 443 must be allowed between the CSAT server and SharePoint server(s).
- The Search service application must be enabled.
- You need a SharePoint administrator account with the role of "Site Collection Administrator"
for all the site collections you want to scan. This account must run under the Search service
application.
The second method collects data with a dissolvable agent called "SPcsat_dwnldr.exe" and
"SPcsat.exe". This agent works the same as the endpoint scan dissolvable agent.
Endpoint Scan
Windows endpoints
To scan Windows endpoints, you can use one of the following methods:
1. Scan Scope Method: This method is suitable for Windows Domain joined endpoints or
endpoints that can directly connect to the CSAT server.
2. Cloud Scan Script Method: This method is used for Windows endpoints that cannot directly
connect to the CSAT server.
3. Run Once Script Method: This method provides a manual scan option.
6
CSAT version 2.05 Scan and installation requirements
Dissolvable agent
All scan methods utilize csat.exe to collect data from the endpoint. Once the scanning process is
complete and the data is uploaded to the CSAT server, the downloaded files and directories are
automatically removed from the endpoint. This approach is called a "dissolvable agent" or
"agentless," ensuring that no CSAT-related traces are left on the endpoints.
• The first technique is Remote Scheduled tasks. A scheduled task is created on the endpoint
that will download the agent file from the CSAT server and start the agent.
• The second technique is the WMI with SMB support. The agent will be sent over SMB to the
endpoint. The sent agent will be started through WMI.
• The last technique is via WMI only. The agent will be sent as an encoded file over WMI and
decoded. A command will be sent over WMI to start the agent.
The above techniques will be tried sequentially. If one technique does not provide the appropriate
response, CSAT will try the next technique. Because certain techniques require certain features or
firewall rules to be enabled.
When a technique is used that involves WMI, it is important to ensure that the WMI services are
properly configured on the endpoint to collect comprehensive information. Issues like corrupted
WMI repositories or incorrect client network setup can result in limited data collection.
Prerequisites for using the cloud scan script method are as follows:
• If the CSAT server has four CPUs, the dissolvable agent will be sent to two endpoints at a
time.
7
CSAT version 2.05 Scan and installation requirements
• If the CSAT server has five CPUs, the dissolvable agent will be sent to four endpoints
simultaneously.
• If the CSAT server has more than five CPUs, the number of simultaneous dissolvable agents
sent is the total number of CPUs minus two. For instance, if the CSAT server has fifteen
CPUs, the dissolvable agent will be sent to thirteen endpoints at the same time.
During the endpoint scanning process, CPU usage ranges from 1 to 5 percent, and memory usage is
between 40 and 70 MB. Once the data is collected, it is compressed into a zip file and sent back to
the CSAT server. Typically, the size of the zip file is around 100 KB. Since not all endpoints are
scanned concurrently, the data sent over the network from the scanned endpoints to the CSAT
server usually peaks at around 100 MB.
Linux endpoints
To gather information from Linux endpoints, the scanning process is done through SSH. You can scan
a Linux endpoint by enabling SSH on it. Here are some key points to consider:
• Ensure that the configured SSH port is open both from and to the endpoint(s) and the CSAT
server. The default TCP port for SSH is 22, but using a custom configured SSH port is also
supported.
• Make sure that the account used for scanning has SUDO permissions. This ensures the
necessary privileges are granted to collect the required information.
Client type Scan level Browser scan Average scan time Zip file size
Windows Client OS 5 Off 2 min 0,2 MB
Windows Client OS 5 On 2 min 02 sec 1,2 MB
Windows Client OS 9 Off 2 min 0,4 MB
Windows Client OS 9 On 2 min 30 sec 1,5 MB
Windows Server OS 5 Off 1 min 10 sec 0,1 MB
Windows Server OS 9 Off 1 min 15 sec 0,2 MB
• .NET Framework: Ensure that the endpoints have at least version 3.5 or higher of the .NET
Framework installed.
• Network configuration: If you have internal firewalls, VPN, IPS, IDS, or network ACL solutions
in place, make sure they allow traffic from the CSAT server to the targeted endpoints. Ensure
that there are no blocking rules that would hinder communication.
• Anti-virus/Anti-malware Software: Check that the anti-virus/anti-malware software permits
the execution of CSAT.exe in the C:\windows\temp folder.
• Windows Endpoints: To scan Windows endpoints, use a local administrator or domain
administrator account. We recommend creating a temporary CSAT scanning account, which
can be removed or inactivated after the scan is completed.
• Linux Endpoints: For scanning Linux endpoints, ensure that the specified account in the CSAT
scan scope is a member of the sudo group. This is necessary as certain commands require
sudo permissions.
8
CSAT version 2.05 Scan and installation requirements
To enable scanning by the CSAT server, inbound firewall rules must be enabled for the active firewall
profile on the endpoints. Windows Firewall includes predefined rules that need to be enabled for
the active firewall profile. The required ports are listed in the next section.
GitHub
To collect information from GitHub Advanced Security, the CSAT server must have access to the
GitHub repository and organization URLs. CSAT will use a GitHub app to scan. Hence, the account
being used should have the permission to create this GitHub app.
Email DNS
During the Email DNS scan, the CSAT server collects information about DNS Sec, SPF, DKIM, and
DMARC from external DNS records. For DNS Sec information, the CSAT server needs to access
mxtoolbox.com and its subpages. The default IP addresses used to collect SPF, DKIM, and DMARC
records are 1.1.1.1 and 8.8.8.8. This information is gathered using the UDP protocol.
SNMP
You can collect information from devices that have the SNMP v1, SNMP v2, and SNMP v3 services
enabled. To scan SNMP devices successfully, ensure that the SNMP UDP port 161 is open for
communication between the SNMP devices and the CSAT server.
For the three endpoint scan methods explained earlier, the following antivirus exclusions should be
applied:
• C:\Windows\Temp\csat\csat.exe
9
CSAT version 2.05 Scan and installation requirements
Firewall / Network Requirements
CSAT utilizes the following ports for its services.
On endpoint devices:
The following ports are inbound for the active firewall profile. It is highly advised not to enable
these ports within the Public Network profile. Depending on your network security
policy/configuration, in certain network environments, you may need to add the IP address of the
CSAT server as the originating IP address to the firewall rules mentioned below.
Firewall rule name Group Port Used for Used by
technique
File and Printer File and Printer 139 NetBIOS Session to WMI only
Sharing (NB-Session- Sharing the endpoint
In)
File and Printer File and Printer 445 send SMB data for WMI only
Sharing (SMB-In) Sharing the dissolvable agent
Remote Event Log Remote Event Log RPC Dynamic Create and run the Remote
Management (RPC) Management Ports CSAT task Scheduled tasks
Remote Scheduled Remote Scheduled RPC Dynamic send SMB data for Remote
Tasks Management Tasks Management Ports the dissolvable Scheduled tasks,
(RPC) agent, or create and WMI with SMB
run the CSAT task support, WMI
only
Windows Windows 135 Initial WMI WMI only
Management Management connection
Instrumentation Instrumentation
(DCOM-In)
10
CSAT version 2.05 Scan and installation requirements
Windows Windows All (only allow Send the CSAT WMI with SMB
Management Management svchost.exe) dissolvable agent support, WMI
Instrumentation Instrumentation files to the endpoint only
(WMI-In)
Note: When creating custom firewall rules, ensure they do not conflict with other rules or have block
rules placed before allow rules.
In environments where outbound traffic from endpoints is restricted, it is recommended to add the
following rule to the firewall profile of the endpoint:
11
CSAT version 2.05 Scan and installation requirements